laminas-api-tools / api-tools-oauth2

Laminas module for implementing an OAuth2 server
https://api-tools.getlaminas.org/documentation
BSD 3-Clause "New" or "Revised" License

BcryptTrait.php checkpassword() should accept array, but no longer does #36

Closed cvigorsICBF closed 3 years ago

cvigorsICBF commented 3 years ago

BC Break Report

| Q | A |
|---|---|
| Version | 1.8.x |

Summary

In api-tools-oauth2/src/Adapter/BcryptTrait.php, using checkPassword() is demanding that the input parameters "must be of type string, array given", but the function clearly expects $user to be an array. See function below. $user['password'] is what is used in the function. This is causing a break in authentication using the password grant_type in OAuth 2.0.

```php
protected function checkPassword(string $user, string $password): bool
{
    return $this->verifyHash($password, $user['password']);
}
```

Previous behavior

The previous function would have accepted an array.

Current behavior

The current function no longer accepts an array, and is insisting on a string.

How to reproduce

Carry out a password grant_type authentication using the previous library version; it should work. Carry out a password grant_type authentication using the current library version; it should now fail.

Alternatively, in BcryptTrait.php, the password grant_type will fail with checkPassword until 'string $user' is changed to '$user' in: protected function checkPassword(string $user, string $password): bool

Perhaps change the typing to string|array $user.
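
The mismatch described in this report, reproduced as an added example that is not part of the original issue or the project's code. The trait and class names, the `check()` wrapper, the sample user row and a `verifyHash()` built on `password_verify()` are assumptions; the corrected variant declares `array $user` because the body indexes `$user['password']`.

```php
<?php
declare(strict_types=1);

// Stand-in carrying the signature quoted in the report (hypothetical trait name).
trait BrokenBcryptTrait
{
    protected function checkPassword(string $user, string $password): bool
    {
        return $this->verifyHash($password, $user['password']);
    }
}

// Signature that matches how the body uses $user; a row without a usable
// 'password' entry is rejected instead of reaching the hash comparison.
trait FixedBcryptTrait
{
    protected function checkPassword(array $user, string $password): bool
    {
        return isset($user['password']) && is_string($user['password'])
            && $this->verifyHash($password, $user['password']);
    }
}

abstract class DemoAdapter
{
    // Assumption: verifyHash() is modelled here with PHP's password_verify().
    protected function verifyHash(string $password, string $hash): bool
    {
        return password_verify($password, $hash);
    }

    // Mirrors the password grant path: a stored user row plus the submitted password.
    public function check(array $user, string $password): bool
    {
        return $this->checkPassword($user, $password);
    }
}

final class BrokenAdapter extends DemoAdapter { use BrokenBcryptTrait; }
final class FixedAdapter extends DemoAdapter { use FixedBcryptTrait; }

// Constructed sample row, as a storage lookup might return it.
$row = ['username' => 'alice', 'password' => password_hash('s3cret', PASSWORD_BCRYPT)];

try {
    (new BrokenAdapter())->check($row, 's3cret');
} catch (TypeError $e) {
    echo 'broken signature: ', $e->getMessage(), PHP_EOL;
}
var_dump((new FixedAdapter())->check($row, 's3cret'));
var_dump((new FixedAdapter())->check($row, 'wrong'));
var_dump((new FixedAdapter())->check(['username' => 'alice'], 's3cret'));
```

The broken variant fails closed with a `TypeError` before any hash comparison, so the effect is an authentication outage for the password grant, not a bypass.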